Field Note

How to Identify a Phishing Attack

August 09, 2019

Learn how to recognize & avoid phishing scams

By Arielle Mullen

As the internet has grown increasingly crowded, phishing attacks are becoming a common occurrence. A form of social engineering, phishing is one of the most prevalent security challenges facing companies and individuals. While the attempts have gotten more sophisticated over time, there are still a number of ways to identify an attack without falling into their trap. With that in mind, we've compiled our tips on what to look for that will help you avoid falling prey to a phishing attempt.

"Please confirm your login information"

Keep an eye out for messages requesting that you confirm personal information, like login credentials, credit card information, tax numbers, or credit scores.

"Dear valued member..."

Companies that deal with you directly will usually call you by your name, rather than "valued member" or "account holder." This won't always be the case, but it's definitely a clue to watch out for.

Check the sender's email address

If an email seems suspicious, look at the domain in the sender's email address. Look for numbers or letters that have been added (think "info@paypal.com" vs. "info@paypal123.com"). Keep in mind that companies sometimes use unique domains or third-party platforms to send email, but if you have doubts about a message's legitimacy, don't be afraid to reach out to the company directly. Check for misspelled domain names as well, as this is a commonly employed tactic.

Pay attention to company logos

Oftentimes a phishing email will include a company logo that's just ever-so-slightly off. This could be a different font, logo colors, or missing elements.

Look out for grammatical errors

The most common, and sometimes the easiest, identifier is bad grammar or misspelled words. Everyone makes mistakes, so this is another red flag that won't always be a definite sign, but emails from legitimate organizations will generally be well written. Assess the context of any errors and ask yourself whether the typos are commonly made mistakes (like accidentally hitting an adjacent key) and whether the language is consistent with past messages you've received from the sender.

Are they trying to force you to their website?

A commonly used tactic is to code an entire email as a link, so that clicking anywhere within it means you've fallen into their trap. Before clicking any link, hover your mouse over it and make sure that the domain displayed checks out and that it begins with "https://".

Are they sending you unsolicited attachments?

Unexpected emails that contain attachments are a huge red flag. Legitimate companies generally won't send you emails with attachments, so proceed with caution. Attachment file types that are particularly high-risk include .exe, .scr, and .zip. When in doubt, contact the company directly to confirm they sent the message.
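The last three checks above (the sender's domain, the links, and the attachments) can be turned into a small triage script that a help desk or mail gateway could run over a reported message. The following is an added example written for this note, not the firm's own code or tooling; the brand allowlist `KNOWN_BRANDS`, the digit-for-letter table `_SWAPS`, the 80% body-as-link threshold and the sample message are assumptions chosen for illustration.

```python
"""Heuristic phishing triage for one email message. Added example, not the
firm's code; KNOWN_BRANDS, _SWAPS and the sample message are assumptions."""
import email, os, re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = {"paypal.com", "example-bank.com"}  # assumed: brands you deal with
RISKY_EXTENSIONS = {".exe", ".scr", ".zip"}        # the types named in the note
_SWAPS = str.maketrans("0135", "oles")             # assumed digit-for-letter swaps
_DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def sender_domain(from_header):
    """Lowercase domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_brand(domain):
    """Brand domain imitated by added digits (paypal123.com), digit swaps
    (paypa1.com) or a reused brand label; None for real brand (sub)domains."""
    domain = domain.lower()
    if any(domain == b or domain.endswith("." + b) for b in KNOWN_BRANDS):
        return None
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        for label in domain.split("."):
            if name in (re.sub(r"\d", "", label), label.translate(_SWAPS)) or name in label:
                return brand
    return None

class _LinkCollector(HTMLParser):
    # Collects [href, visible text] per <a> and the total visible text length.
    def __init__(self):
        super().__init__()
        self.links, self.text_len, self._cur = [], 0, None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]
            self.links.append(self._cur)
    def handle_endtag(self, tag):
        if tag == "a":
            self._cur = None
    def handle_data(self, data):
        self.text_len += len(data.strip())
        if self._cur is not None:
            self._cur[1] += data.strip()

def check_links(html, body_link_ratio=0.8):
    """Flag non-https links, visible-text/target domain mismatches, and a body
    that is almost entirely one link (the whole-email-as-link tactic)."""
    p = _LinkCollector()
    p.feed(html)
    findings, linked = [], 0
    for href, text in p.links:
        linked += len(text)
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append(f"link is not https: {href}")
        shown = _DOMAIN_RE.search(text)
        if shown:
            s = re.sub(r"^www\.", "", shown.group(0).lower())
            if re.sub(r"^www\.", "", host) != s and not host.endswith("." + s):
                findings.append(f"link text shows {shown.group(0)} but goes to {host}")
    if p.text_len and linked / p.text_len > body_link_ratio:
        findings.append("almost the entire message body is a link")
    return findings

def risky_attachments(msg):
    """Filenames of attachments whose extension is in RISKY_EXTENSIONS."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]

def triage(raw_message):
    """Return human-readable findings for one RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    domain = sender_domain(msg["From"])
    brand = lookalike_brand(domain)
    if brand:
        findings.append(f"sender domain {domain} imitates {brand}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    findings.extend(f"high-risk attachment: {n}" for n in risky_attachments(msg))
    return findings

def sample_message():
    """Constructed message that shows every red flag at once (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "PayPal Support <security@paypal123.com>"
    msg["Subject"] = "Please confirm your login information"
    msg.add_alternative(
        '<p><a href="http://paypal123.com/login">Dear valued member, please '
        "confirm your login information at www.paypal.com within 24 hours."
        "</a></p>", subtype="html")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_string()
```

`triage(sample_message())` returns one finding per red flag in the constructed message: the lookalike sender domain, the non-https link, the link whose visible text names www.paypal.com while it points at paypal123.com, the body that is one big link, and the .zip attachment. Treat the output as triage hints rather than a verdict: the "https://" test is a necessary condition, not proof of legitimacy, since a lookalike domain can serve https too, and the brand-name heuristic will also flag a legitimate third-party sender that mentions the brand in its domain, which is exactly the case where the note says to contact the company directly.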

One of the best ways you can help protect your company against phishing attacks is to educate employees on how to recognize the signs. If you have questions about this field note, or would like to discuss how our consultants can help train your employees to avoid phishing, get in touch with us!